Microsoft Battles Cyber Criminals

Microsoft launched a novel legal assault to take down a global network of PCs suspected of spreading spam and harmful computer code, adding what the company believes could become a potent weapon in the battle against cyber criminals.

But security experts say it isn't yet clear how effective Microsoft's approach will be, while online rights groups warn that the activities of innocent computer users could be inadvertently disrupted.

On Monday, a federal judge in Alexandria, Va., granted Microsoft's request for an order to deactivate hundreds of Internet addresses that the company linked to an army of tens of thousands of PCs around the globe, infected with computer code that allows them to be harnessed to spread spam and malicious programs and to mount mass attacks that disable Web sites.

The court order was issued under seal—a rare move in civil cases of this nature—to allow the company to secretly sever communications channels among the computers before the network's operators could re-establish contact with the machines.

Microsoft's move is the latest escalation in a continuing battle against cyber crime, whose perpetrators have proved adept at using the Internet and an array of technical tools to evade law enforcement. Electronic nuisances like spam have become potent profit tools for professional hackers, who trick PC users into passing on harmful software and disclosing credit-card numbers, passwords and other valuable personal information.

In one high-profile incident, Google Inc. last month disclosed attacks against the Internet giant and other major U.S. companies that it linked to China. Chinese officials deny any involvement.

Microsoft's legal action this week also appears to have connections to China. The software company, based in Redmond, Wash., on Monday filed a suit against 27 unnamed "John Doe" defendants for violating federal laws against computer crime. Microsoft says they operated a global network of infected PCs—or "botnet," in computer-industry parlance—identified as Waledac.

More than 83% of unsolicited email originated from botnets at last year's close, says security software firm Symantec Corp.

Microsoft doesn't yet know their identities, but it says the defendants were linked to more than 270 Internet domain names from which Microsoft traced electronic instructions bound for the hacker network. The company said it is seeking to contact the defendants through registration information associated with those addresses.

Nearly all of the records list contact information in China, though hackers can easily misrepresent themselves when registering for Internet addresses. None of the China-based registrants of the suspect addresses, which include Bestgoodnews.com, Movies4thjuly.com and Lifegreetingcard.com, could be reached for comment.

The restraining order compelled VeriSign Inc., which oversees the registration of all domain names ending in ".com," to temporarily turn off the suspect Internet addresses. A VeriSign spokesman declined to comment.

Microsoft says the suspect Internet addresses can be thought of as a set of phone numbers that infected computers within the hacker network were programmed to call for instructions—for example, where to send spam or which Web site to overload with traffic.

By cutting off access to those addresses, Microsoft hopes to keep the masterminds behind the network from reaching the infected PCs and reprogramming them with a fresh batch of addresses to call, leaving the operators unable to direct the network.

"We have a high degree of confidence this will be a major blow to this botnet," said Richard Boscovich, a senior attorney in Microsoft's digital-crimes unit and a former federal prosecutor.

Other security experts were less convinced, saying that the Internet addresses Microsoft has brought down could be only a small percentage of the ones used by hackers to control the network. "The botnet will survive this in many cases," said Jose Nazario, a researcher at cyber-security company Arbor Networks.
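The rendezvous mechanism described above, and the caveat Mr. Nazario raises, can be made concrete with a small simulation. This is an added example, not code from Microsoft, VeriSign or the network's operators: only the four domain names come from the article; the order in which a bot dials them, the stand-in registry, the "send_spam" task, and every ".test" name are assumptions constructed for illustration. It runs a bot whose entire list is covered by the order (it is cut off), and a bot with one rendezvous domain the order missed (it is tasked and re-homed onto a fresh list, after which seizing the original addresses no longer reaches it).

```python
"""Domain-based botnet rendezvous and a registry-level takedown, simulated.

Added example, not code from Microsoft, VeriSign or the Waledac operators.
Only the four domain names come from the article; the rendezvous order, the
stand-in registry, the operator's reply and every '.test' name are
constructed for illustration.
"""

from typing import List, Optional, Set, Tuple

# The "phone numbers" an infected PC is programmed to call for instructions.
# Constructed order; the names are the ones reported from the complaint.
LISTED_DOMAINS: List[str] = [
    "bestgoodnews.com",
    "movies4thjuly.com",
    "lifegreetingcard.com",
    "debtbgonesite.com",
]

# Constructed: a rendezvous domain the takedown did not know about, and the
# fresh batch the operators push to re-home bots that still reach them.
UNLISTED_DOMAIN = "unlisted-rendezvous.test"
FRESH_DOMAINS: List[str] = ["fresh-1.test", "fresh-2.test"]
OPERATOR_DOMAINS: Set[str] = set(LISTED_DOMAINS + [UNLISTED_DOMAIN] + FRESH_DOMAINS)


class Registry:
    """Stand-in for the .com registry: a name resolves to the operators'
    server unless it has been turned off under the order."""

    def __init__(self, operator_domains: Set[str]) -> None:
        self.operator_domains = {d.lower() for d in operator_domains}
        self.seized: Set[str] = set()

    def deactivate(self, domains: List[str]) -> None:
        # Domain names are case-insensitive, so normalise before matching.
        self.seized.update(d.lower() for d in domains)

    def resolves(self, domain: str) -> bool:
        d = domain.lower()
        return d in self.operator_domains and d not in self.seized


class Bot:
    """Infected PC: dials its domains in order, obeys the first that answers,
    and overwrites its list with whatever that server sends back."""

    TASK = "send_spam"  # constructed stand-in for a real instruction

    def __init__(self, domains: List[str]) -> None:
        self.domains = list(domains)

    def check_in(self, registry: Registry) -> Optional[str]:
        for domain in self.domains:
            if registry.resolves(domain):
                # The operator answers with a task and a fresh batch of
                # numbers, so the old list is no longer needed.
                self.domains = list(FRESH_DOMAINS)
                return self.TASK
        return None  # every number is dead: the bot is cut off


def simulate(bot_domains: List[str], seized: List[str]) -> Tuple[Optional[str], List[str]]:
    """Deactivate `seized`, let one bot check in, and return the task it
    received (None if cut off) together with its domain list afterwards."""
    registry = Registry(OPERATOR_DOMAINS)
    registry.deactivate(seized)
    bot = Bot(bot_domains)
    task = bot.check_in(registry)
    return task, bot.domains


if __name__ == "__main__":
    # 1. The order covers every domain the bot knows: no task, no new list.
    print(simulate(LISTED_DOMAINS, LISTED_DOMAINS))
    # 2. One rendezvous domain was missed: the bot is tasked and re-homed,
    #    and seizing the original list afterwards no longer reaches it.
    task, new_list = simulate(LISTED_DOMAINS + [UNLISTED_DOMAIN], LISTED_DOMAINS)
    print(task, new_list)
    print(simulate(new_list, LISTED_DOMAINS))
```

The second scenario is why the order was sought under seal: once a bot has been handed a fresh list, the original addresses can be seized without effect, and only an order that also covers the replacement names would cut it off again.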

The Federal Bureau of Investigation and law-enforcement agencies overseas have targeted similar networks.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, says companies have supplemented the efforts of law enforcement to fight cyber crimes by taking private court actions. America Online Inc., for example, sued spammers in the late 1990s.

But Mr. Rotenberg also worries that actions like Microsoft's might become a form of "vigilantism" that entangles innocent victims. Indeed, the single U.S.-based registrant of a suspect Internet address in Microsoft's complaint, Stephen Paluck of Beaverton, Ore., said he was doing nothing wrong from his Internet address, Debtbgonesite.com. "I want it back," Mr. Paluck said.

Microsoft says it carefully analyzed the Internet addresses to ensure they were being used only for suspicious purposes, and that Mr. Paluck's Internet address could have been infiltrated by a hacker. A Microsoft spokeswoman said the company is in discussions with Mr. Paluck.

Greg Garcia, a former assistant secretary in charge of cyber security at the Department of Homeland Security, said the risk of shutting down a legitimate Web site shouldn't deter a promising new technique to fight cyber crime. "Law enforcement snags innocent bystanders every now and then," Mr. Garcia said.